Get access to REST API

The Google Pay API for Passes helps you add and manage loyalty cards, gift cards, offers, event tickets, boarding passes for flights, and transit passes inside
the Google Pay app. To start, register your project, connect it to the Google Pay API
for Passes Merchant Center, and then set up your web service for OAuth 2.0.

1. Register your application

All applications that access a Google API must be registered through the
API Console. The result of this registration process is a set of values that are known
only to Google and your application (client ID, email address, and private key). To register your
application:

Sign up
for Google Pay API for Passes access. If you have already done this, you may skip this step.

Click the Create Project button or select Create a Project
from the dropdown located at the top of the page. The New project page appears.

Enter a project name.

Click Create. When configuration is complete, a notification appears in the
top right corner. Click on this notification to navigate to the project's home page.

Click Go to APIs overview. Then, click ENABLE APIS AND SERVICES.

Search for Google Pay Passes API, and click Enable.

Click Credentials in left-hand menu.

Click the Create Credentials button then select
Service Account Key.

Create your service account key on the page, where you may need to create a service account as
well. No additional roles are needed for this service account. Choose json as the key type
and then click Create.

A new Service Account has been added to your list of accounts and a private key is downloaded
to your local file system. This is the only copy of this key, and you are responsible for
keeping this key file in a secure location. You will use this key later.

Copy the Service Account Email of the key, which is found by clicking Manage service
accounts from the Credentials tab. You will use this address later.

Warning: Your private key must be stored and managed securely by you for
both the developer and the production environments. Google only stores a copy of the public key.
More information on managing your service account private key can be found
here.

2. Tie your service account to your Google Pay API for Passes account

Your Google Pay API for Passes account should have been created for you by your Google point of
contact. The Google Pay API for Passes Merchant Center is a web site you can use to manage your
account and all your associated classes and objects. Follow these steps to tie your service account
to the Google Pay API for Passes Merchant Center:

Select your account from the list. The Account Info page is displayed.

Note: Make a note of your Issuer ID. You will use it later when
you make API calls.

Click Share. The Share settings appear.

From the Register Your Application section, copy the Service Account
Email of the key (ends with @<your_domain>.iam.gserviceaccount.com) and paste
it in the Invite people field.

Make sure the permissions dropdown is set to can edit then click
Send. Your service account is now tied to your Google Pay API for Passes
account. You are now ready to issue REST calls to the API.

3. Use OAuth 2.0 for your Server to Server application

The Google OAuth 2.0 Authorization Server supports server-to-server interactions such as those
between a web application and Google Cloud Storage. The requesting application has to prove its
identity to gain access to an API, without any end-user involvement.

You need to obtain an access token to authorize your API requests. We strongly recommend that
you use a client library to simplify the process.

You will use the resulting credential when you execute REST API commands, such as inserting a
class.

Obtain an access token manually

Refer to
Using OAuth 2.0 for Server to Server Applications
to manually obtain an access token. You will need to create a JSON Web Token (JWT) and sign it with
the private key, then construct an access token request in the appropriate format. After that, your
application sends the token request to the Google OAuth 2.0 Authorization Server and an access token
gets returned. Your application can access the API only after receiving the access token.
When the access token expires, your application must repeat this process.

The iss field in the JWT claim set uses the Service Account email address
generated from the Google API Console in
the Register your application section.

The scope field in the JWT claim set is a space-delimited list of permissions that
the application requests.

The valid scope for production applications is https://www.googleapis.com/auth/wallet_object.issuer.